diff --git a/files/nginx.conf b/files/nginx.conf
index d3e1d3b..5106a13 100644
--- a/files/nginx.conf
+++ b/files/nginx.conf
@@ -70,7 +70,3 @@ http {
 # }
 #}
 }
-
-stream {
-    include tcpconf.d/*.conf
-}
diff --git a/handlers/main.yml b/handlers/main.yml
index acb1b3e..c5bb9d5 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,6 @@
 ---
 # handlers file for nginx-ssl
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
diff --git a/tasks/create_cert.yml b/tasks/create_cert.yml
index 9e738ca..eff8db9 100644
--- a/tasks/create_cert.yml
+++ b/tasks/create_cert.yml
@@ -1,10 +1,5 @@
 # create_cert.yml
 ---
-- name: Create certs directory if it doesn't exist
-  file:
-    path: /etc/nginx/certs/
-    state: directory
-
 - name: Create certificate directory for domain if it doesn't exist
   file:
     path: /etc/nginx/certs/{{ item.domain }}
@@ -31,3 +26,5 @@
     privatekey_path: /etc/nginx/certs/{{ item.domain }}/privkey.pem
     provider: selfsigned
   when: result is failure
+  notify: restart nginx
+
diff --git a/tasks/main.yml b/tasks/main.yml
index c47909e..b94d37e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -9,6 +9,7 @@
   ansible.builtin.copy:
     src: files/nginx.conf
     dest: /etc/nginx/nginx.conf
+  notify: restart nginx
 - name: ensure conf.d exists
   ansible.builtin.file:
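Review bot: `state: restarted` in the new handler stops nginx before starting it again, so a configuration or certificate error introduced by any of the tasks that now notify it leaves the service down instead of running on the previous configuration. `state: reloaded` makes nginx test the new configuration first and keep the old workers when the test fails, and a reload is sufficient for the config and certificate changes this diff wires up; nothing in the diff suggests a full restart is needed. I would write `ansible.builtin.service:` with `state: reloaded` and keep the handler name so the existing `notify: restart nginx` lines still match, or rename it and update the notifiers together. The module is referenced by its short name here while tasks/main.yml uses the `ansible.builtin.` prefix.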
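Review bot: With `notify: restart nginx` added to the nginx.conf copy, a syntactically broken `files/nginx.conf` is now written to /etc/nginx/nginx.conf and then acted on by the handler with nothing checking it first; `ansible.builtin.copy` supports `validate: /usr/sbin/nginx -t -c %s`, which rejects the file before it replaces the live one (the nginx binary path may differ on the target distribution, so confirm it). The task also sets no `owner`/`group`/`mode`, so the deployed file keeps whatever the module defaults produce; `mode: "0644"` pins it. The task's `- name:` line is above the hunk.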
@@ -18,15 +19,46 @@
 - name: deploy service config(s)
   ansible.builtin.template:
     src: templates/server.conf
-    dest: /etc/nginx/conf.d/{{ item.domain }}
+    dest: /etc/nginx/conf.d/{{ item.domain }}.conf
   loop: "{{ domains }}"
+  notify: restart nginx
-- name: check if /etc/nginx/certs exists and is a symlink
-  ansible.builtin.command: '[ -L "/etc/nginx/certs" ]'
+- name: check if letsencrypt is set up
+  ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]'
   register: result
   ignore_errors: true
+- name: check if letsencrypt is set up
+  ansible.builtin.command: '[ -d "/etc/nginx/certs/" ]'
+  register: result2
+  ignore_errors: true
+
+- name: delete folder if exists
+  ansible.builtin.file:
+    state: absent
+    path: /etc/nginx/certs
+  when: (result is succeeded and result2 is succeeded) or (result is failed and result2 is failed)
+
+- name: create symlink
+  ansible.builtin.file:
+    src: /etc/letsencrypt/live
+    dest: /etc/nginx/certs
+    state: link
+  when: result is succeeded
+  notify: restart nginx
+
+- name: Create certs directory if it doesn't exist
+  file:
+    path: /etc/nginx/certs/
+    state: directory
+  when: result is failed
+
 - include_tasks: create_cert.yml
   when: result is failed
   loop: "{{ domains }}"
-
+
+- name: ensure nginx is running
+  service:
+    name: nginx
+    state: started
+    enabled: yes
diff --git a/templates/server.conf b/templates/server.conf
index 1759994..2b36d9b 100644
--- a/templates/server.conf
+++ b/templates/server.conf
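Review bot: The `delete folder if exists` task removes /etc/nginx/certs recursively whenever /etc/letsencrypt exists and `[ -d "/etc/nginx/certs/" ]` succeeds, and because `test -d` follows symlinks that is also true on every run after `create symlink` has turned the path into a link, so each run deletes and recreates the link, reports a change and fires `restart nginx`; on a host that previously ran in self-signed mode the same task wipes the generated private keys with no backup. The second branch of the condition, `result is failed and result2 is failed`, can never remove anything because the path does not exist in that case. Probing with `ansible.builtin.stat` instead of a shell test distinguishes a real directory from a symlink, and `force: true` on the link task re-points an existing link without an explicit delete, which keeps the play idempotent; the sketch below only removes a genuine directory when switching to letsencrypt, which is still destructive in that one case, so consider moving it aside rather than deleting. Separately, the new check task reuses the name `check if letsencrypt is set up`, `enabled: yes` should be `enabled: true`, and the bare `service`/`file` modules should be `ansible.builtin.service`/`ansible.builtin.file` like the rest of the file.
```yaml
- name: check if /etc/nginx/certs exists
  ansible.builtin.stat:
    path: /etc/nginx/certs
  register: certs_stat

# Only a real directory blocks the link; an existing link is re-pointed by force.
- name: remove self-signed certs directory before linking to letsencrypt
  ansible.builtin.file:
    state: absent
    path: /etc/nginx/certs
  when: result is succeeded and certs_stat.stat.exists and certs_stat.stat.isdir and not certs_stat.stat.islnk

- name: create symlink
  ansible.builtin.file:
    src: /etc/letsencrypt/live
    dest: /etc/nginx/certs
    state: link
    force: true
  when: result is succeeded
  notify: restart nginx
# … unchanged: create certs directory, include_tasks create_cert.yml, ensure nginx is running …
```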
@@ -1,13 +1,13 @@
 server {
-    listen 443 ssl proxy_protocol;
+    listen 443 ssl;
     server_name {{ item.domain }} ;
     resolver 172.16.40.20;
     set $backend "http://localhost:{{ item.port }}";
     set $certbot "http://localhost";
-    ssl_certificate /etc/nginx/certs/{{ item.domain }}.actcur.com/fullchain.pem;
-    ssl_certificate_key /etc/nginx/certs/{{ item.domain }}.actcur.com/privkey.pem;
+    ssl_certificate /etc/nginx/certs/{{ item.domain }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/{{ item.domain }}/privkey.pem;
     location /.well-known/acme-challenge/ {
         proxy_pass $certbot;
@@ -17,7 +17,9 @@ server {
     ssl_session_cache shared:SSL:10m;
     client_max_body_size 1024m;
     location / {
-        allow 192.168.0.0/16;
+
+        deny 172.16.41.60
+        allow 172.16.0.0/16;
         deny all;
         proxy_pass $backend;
diff --git a/vars/main.yml b/vars/main.yml
index 2cb1fe2..e4d3e1f 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -4,7 +4,5 @@ domains:
   - domain: privtorrents.actcur.com
     port: 8112
-  - domain: test.actcur.com
-    port: 8113
 # end of file
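Review bot: `deny 172.16.41.60` on the new side has no terminating semicolon, so nginx reads `allow 172.16.0.0/16` as further arguments of the `deny` directive and rejects the configuration, which together with the new `restart nginx` handler takes the service down on the next deploy; it must read `deny 172.16.41.60;`. The empty line added directly under `location / {` is harmless but looks accidental. Note that the first hunk drops `proxy_protocol` from `listen`, so these allow/deny rules now match the direct TCP peer; if anything still sits in front of nginx they would evaluate that hop's address rather than the client's, which is worth confirming. The `location /` block continues below the hunk.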